CN104184675A - Load-balanced IPSec VPN device trunking system and working method of load-balanced IPSec VPN device trunking system - Google Patents


Info

Publication number: CN104184675A
Authority: CN (China)
Prior art keywords: address, ipsec vpn, equipment, security, load
Legal status: Granted (Active)
Application number: CN201410460656.1A
Other languages: Chinese (zh)
Other versions: CN104184675B (en)
Inventor: 罗俊
Current Assignee: China Electronics Technology Network Security Technology Co ltd
Original Assignee: Chengdu Westone Information Industry Inc
Application filed by: Chengdu Westone Information Industry Inc
Priority date: 2014-09-12
Filing date: 2014-09-12
Publication date: 2014-12-03

Abstract

The invention provides a load-balanced IPSec VPN device trunking system and a working method of the load-balanced IPSec VPN device trunking system. The load-balanced IPSec VPN device trunking system comprises a plurality of IPSec VPN devices, and a computing capability assessment module, an intra-group synchronization module, a load management module, an address transponder and a data classifier run on each IPSec VPN device. Unique and effective load balancing and unique and effective redundant backup of working IP addresses of IPSec VPN clusters composed of the different IPSec VPN devices are achieved, outbound IP data messages processed by the different IPSec VPN devices have the same source IP addresses, and inbound IP data messages can achieve automatic distribution of loads. Immediate synchronization of serial numbers and replay-resistant windows is achieved between the multiple different devices, and zero-interval seamless switching of the loads is achieved.

Description

A load-balanced IPSec VPN device cluster system and its working method
Technical field
The invention belongs to the field of data communication and relates to a load-balanced IPSec VPN device cluster system and its working method.
Background technology
IPSec is the abbreviation of Internet Protocol Security. It is an open-standard framework that uses cryptographic security services to guarantee confidential communication over Internet Protocol (IP) networks.
VPN (Virtual Private Network) refers to the technique of establishing a private network over a public network. It is called a virtual network because the connection between any two nodes of the VPN does not use the end-to-end physical link required by a traditional private network; instead it is a logical network built on the platform provided by a public network service provider, such as the Internet, ATM (Asynchronous Transfer Mode) or Frame Relay, and user data is transmitted over logical links. It covers the extension of a private network across a shared or public network by means of encapsulation, encryption and authenticated links. A VPN mainly uses tunneling, encryption and decryption, key management, and user and device identity authentication techniques.
Security Policy (SP): a security policy is uniquely identified by a selector in the form of a five-tuple consisting of source IP address, destination IP address, source transport-layer port, destination transport-layer port and transport-layer protocol number, and specifies how a plaintext packet is handled: discard it, bypass IPSec, or process it with an IPSec Security Association.
Security Association (SA): a Security Association is uniquely identified by a triple consisting of the Security Parameter Index (SPI), the destination IP address (a unicast address) and the security protocol identifier (AH or ESP), and specifies the concrete parameters with which IPSec processes packets, such as the algorithm, key, anti-replay window and encapsulation mode.
Because IPSec VPN applies multiple security techniques to the data and is deployed at the gateway of the user network, the requirements on device processing performance and reliability are very high; clustering several IPSec VPN devices can solve the performance and reliability problem.
The technical characteristics of IPSec itself place two major obstacles in the way of clustering several IPSec VPN devices. First, tunnel encapsulation causes outbound IP packets processed by different IPSec VPN devices to carry different source IP addresses, and inbound IP packets cannot be distributed automatically because their destination addresses differ. Second, the sequence number and the anti-replay window are updated with every packet, so they cannot be synchronized instantly between several different devices, which causes problems for hot switch-over on failure.
Summary of the invention
To solve the above problems, the invention provides a load-balanced IPSec VPN device cluster system comprising several IPSec VPN devices, each of which runs a computing capability assessment module, an intra-group synchronization module, a load management module, an address transponder and a data classifier;
the computing capability assessment module performs signature computations when an IPSec VPN device in the cluster starts, and obtains the computing capability assessment result of the IPSec VPN device on which it runs;
the intra-group synchronization module is responsible for exchanging and synchronizing security policies, Security Associations, online status and computing capability information among all member devices of the cluster, and for forming the globally consistent security policies, Security Associations and online status;
the load management module obtains the globally consistent security policies, Security Associations and online status from the intra-group synchronization information, distributes the data load according to the differing computing capabilities of the IPSec VPN devices in the group, and sets the actually effective security policies and Security Associations according to the load allocated to the IPSec VPN device on which it runs;
the address transponder gives consistent responses to link-layer address requests for outbound IP packets from the intranet and inbound IP packets from the external network, according to the virtual address information configured uniformly on all IPSec VPN devices in the system;
the data classifier provides different processing paths for inbound and outbound IP packets, according to whether a packet falls within the effective security policies or Security Associations of the IPSec VPN device on which it runs.
Further, every IPSec VPN device in the cluster is configured with a configurable IP multicast address as the intra-group address; the intra-group synchronization module periodically multicasts the security policies, Security Associations, online status and computing capability assessment result of the local device to the other member devices of the cluster, and at the same time accepts the security policies, Security Associations, online status and computing capability assessment results multicast by the other member devices, forming the globally consistent security policies and Security Associations of the cluster.
Further, every IPSec VPN device in the cluster has a shared virtual IP address that serves as the shared IPSec VPN tunnel source IP address of the cluster: all outbound IP packets processed by the cluster use the shared virtual IP address of the member devices as the source IP address after tunnel encapsulation, and all inbound IPSec packets whose destination IP address is this virtual IP address are received by every online member device in the cluster.
Further, the computing capability assessment module runs 10,000 RSA signature operations with a 2048-bit modulus in multithreaded mode and computes the signature rate in signatures per second, which serves as the computing capability assessment result of the IPSec VPN device on which it runs.
The working method of the above load-balanced IPSec VPN device cluster system comprises the following steps:
Step 1: configure for the IPSec VPN device cluster a virtual IP address shared by every member device, which serves as the shared IPSec VPN tunnel source IP address of the cluster;
Step 2: when an IPSec VPN device in the cluster starts, run the computing capability assessment module to obtain the computing capability assessment result of each IPSec VPN device;
Step 3: configure on every IPSec VPN device in the cluster a configurable IP multicast address as the intra-group address;
Step 4: the load management module distributes the data load according to the differing computing capabilities of the IPSec VPN devices in the group and sets the actually effective security policies and Security Associations according to the load allocated to the local device;
Step 5: in an Ethernet environment, for every inbound and outbound packet, perform link-layer address resolution of the virtual IP address or gateway IP address of the IPSec VPN cluster, requesting the 48-bit MAC address corresponding to the virtual IP address or gateway IP address;
Step 6: the data classifier provides different processing paths for inbound and outbound IP packets according to whether the received packet falls within the scope of the local device's effective security policies or Security Associations.
Further, step 4 is specifically:
First, all devices in the cluster are sorted and numbered uniformly in descending order of each member device's real IP address; the global security policies are sorted in descending order by the five-tuple of source IP address, destination IP address, source transport-layer port, destination transport-layer port and transport-layer protocol number, compared in that order; the global Security Associations are sorted in descending order by the triple of destination IP address, Security Parameter Index and security protocol, compared in that order;
Then, the computing capabilities of all member devices are summed to give the total computing capability, and the ratio of each member device's computing capability to the total computing capability is the load ratio allocated to that device; according to device number and load ratio, each device takes its actually effective security policies and Security Associations in turn from the global security policies and global Security Associations; for every device, its actually effective security policies and Security Associations are removed from the global policies and global associations, and the remainder are the security policies and Security Associations that this device only updates;
The load management module periodically updates the device's actually effective security policies and Security Associations and its update-only security policies and Security Associations according to the periodically received intra-group synchronization information; if a device fails, the load allocated to that device and its actually effective security policies and Security Associations are redistributed to the other devices according to their computing capabilities.
Further, in step 5, the MAC address corresponding to the virtual IP address or gateway IP address is set to a configurable multicast MAC address; for every link-layer address resolution request for the virtual IP address or gateway IP address of the IPSec VPN cluster, the address transponder uniformly replies with the configured multicast MAC address, so that all inbound and outbound IP packets that require IPSec processing and all IKE negotiation packets reach every device of the cluster over the multicast channel.
Further, in step 6, the different processing paths that the data classifier provides for IP packets are specifically:
for a packet that falls within the scope of the local device's effective security policies or Security Associations, normal IPSec processing is performed;
for a packet that falls outside the scope of the local device's effective security policies or Security Associations but within the scope of its update-only security policies and Security Associations, only the sequence number update, or the sequence number check and anti-replay window update, and the lifetime update of the security policy and Security Association are performed, and the packet is then dropped;
when a device in the cluster fails and cannot work, its load is taken over by the other devices through the intra-group synchronization module and the load management module, achieving zero-interval seamless switch-over of the load.
The beneficial effects of the invention are:
The invention achieves unique and effective load balancing and redundant backup of the working IP address of an IPSec VPN cluster made up of different IPSec VPN devices, without needing an additional dedicated load-balancing device to distribute the load, which reduces cost. If the master control node fails, a new master control node can be re-elected, avoiding the collective failure of the multi-device assembly caused by a single point of failure, so reliability is very high.
Brief description of the drawings
Fig. 1 is a schematic diagram of the functional module structure for IPSec VPN cluster load balancing according to the invention.
Embodiment
The system of the invention comprises several IPSec VPN devices, each of which runs a computing capability assessment module, an intra-group synchronization module, a load management module, an address transponder and a data classifier.
The computing capability assessment module runs 10,000 RSA signature operations with a 2048-bit modulus in multithreaded mode and computes the signature rate in signatures per second, which serves as the computing capability assessment result of the IPSec VPN device on which it runs.
The intra-group synchronization module is responsible for exchanging and synchronizing security policies (SP), Security Associations (SA), online status and computing capability information among all member devices of the cluster, and for forming the globally consistent security policies, Security Associations and online status.
The load management module obtains the globally consistent security policies, Security Associations and online status from the intra-group synchronization information, distributes the data load according to the differing computing capabilities of the IPSec VPN devices in the group, and sets the actually effective security policies and Security Associations according to the load allocated to the local device.
The address transponder gives consistent responses, according to the globally configured virtual address information, to link-layer address requests (in an Ethernet environment, requests for the 48-bit MAC address) for outbound IP packets from the intranet and inbound IP packets from the external network.
The data classifier provides different processing paths for inbound and outbound IP packets according to whether a packet falls within the local device's effective security policies or Security Associations.
Every IPSec VPN device in the cluster is configured with a configurable IP multicast address as the intra-group address; the intra-group synchronization module periodically multicasts the security policies, Security Associations, online status and computing capability assessment result of the local device to the other member devices of the cluster, and at the same time accepts the security policies, Security Associations, online status and computing capability assessment results multicast by the other member devices, forming the globally consistent security policies and Security Associations of the cluster.
Every IPSec VPN device in the cluster has a shared virtual IP address that serves as the shared IPSec VPN tunnel source IP address of the cluster: all outbound IP packets processed by the cluster use the shared virtual IP address of the member devices as the source IP address after tunnel encapsulation, and all inbound IPSec packets whose destination IP address is this virtual IP address are received by every online member device in the cluster.
The specific working steps of the above system are described below with reference to Fig. 1.
Step 1: configure for the IPSec VPN device cluster a virtual IP address shared by every member device, which serves as the shared IPSec VPN tunnel source IP address of the cluster. All outbound IP packets processed by the cluster use this virtual IP address as the source IP address after tunnel encapsulation, and all inbound IPSec packets whose destination IP address is this virtual IP address are received by every online member device in the cluster.
Step 2: when an IPSec VPN device in the cluster starts, run the computing capability assessment module; this module runs 10,000 RSA signature operations with a 2048-bit modulus in multithreaded mode and computes the signature rate in signatures per second, which serves as the computing capability assessment result of that IPSec VPN device.
Step 3: configure on every IPSec VPN device in the cluster a configurable IP multicast address as the intra-group address. The intra-group synchronization module periodically multicasts the security policies, Security Associations, online status and computing capability assessment result of the local device to the other member devices of the cluster, and at the same time accepts the security policies, Security Associations, online status and computing capability assessment results multicast by the other member devices, forming the globally consistent security policies and Security Associations of the cluster.
Step 4: the load management module distributes the data load according to the differing computing capabilities of the IPSec VPN devices in the group and sets the actually effective security policies and Security Associations according to the load allocated to the local device. First, all devices in the cluster are sorted and numbered uniformly in descending order of each member device's real IP address; the global security policies are sorted in descending order by the five-tuple of source IP address, destination IP address, source transport-layer port, destination transport-layer port and transport-layer protocol number, compared in that order; the global Security Associations are sorted in descending order by the triple of destination IP address, Security Parameter Index and security protocol, compared in that order. Then, the computing capabilities of all member devices are summed to give the total computing capability, and the ratio of each member device's computing capability to the total computing capability is the load ratio allocated to that device; according to device number and load ratio, each device takes its actually effective security policies and Security Associations in turn from the global security policies and global Security Associations; for every device, its actually effective security policies and Security Associations are removed from the global policies and global associations, and the remainder are the security policies and Security Associations that this device only updates. The load management module periodically updates the device's actually effective security policies and Security Associations and its update-only security policies and Security Associations according to the periodically received intra-group synchronization information; if a device fails, the load allocated to that device and its actually effective security policies and Security Associations are redistributed to the other devices according to their computing capabilities.
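The step-4 distribution described above (and repeated in the summary and in claim 6) is easiest to follow on concrete data. The following Python is an added illustration, not code from the patent or its assignee: device addresses, capability figures, policies and SAs are constructed sample values, and the rounding rule used to turn load ratios into slice boundaries is this example's own choice, since the text only says that each device takes its share "in turn" according to its load ratio.

```python
# Added example (not the patent's own code): the step-4 load distribution.
# Device addresses, capabilities, policies and SAs below are constructed samples.
from ipaddress import ip_address

# Constructed cluster: real IP address -> capability assessment result
# (RSA-2048 signatures per second, as the assessment module would report).
DEVICES = {"10.0.0.11": 3000, "10.0.0.12": 1000, "10.0.0.13": 2000}

# Constructed global security policies, each a five-tuple:
# (src IP, dst IP, src port, dst port, transport protocol number).
GLOBAL_SP = [
    ("192.168.1.0", "172.16.0.0", 0, 0, 0),
    ("192.168.2.0", "172.16.0.0", 0, 0, 0),
    ("192.168.3.0", "172.16.0.0", 0, 0, 6),
    ("192.168.3.0", "172.16.0.0", 0, 443, 6),
    ("192.168.4.0", "172.16.5.0", 0, 0, 17),
    ("192.168.5.0", "172.16.0.0", 0, 0, 0),
]

# Constructed global Security Associations, each a triple:
# (dst IP, SPI, security protocol number; 50 = ESP, 51 = AH).
GLOBAL_SA = [
    ("203.0.113.10", 0x1001, 50),
    ("203.0.113.10", 0x1002, 50),
    ("203.0.113.10", 0x1002, 51),
    ("203.0.113.20", 0x2001, 50),
    ("203.0.113.30", 0x3001, 50),
    ("203.0.113.30", 0x3002, 50),
]


def sp_key(sp):
    """Five-tuple compared field by field, IP addresses as integers."""
    src, dst, sport, dport, proto = sp
    return (int(ip_address(src)), int(ip_address(dst)), sport, dport, proto)


def sa_key(sa):
    """Triple compared field by field: destination IP, SPI, protocol."""
    dst, spi, proto = sa
    return (int(ip_address(dst)), spi, proto)


def number_devices(devices):
    """Uniform numbering: descending order of the members' real IP addresses."""
    return sorted(devices, key=lambda ip: int(ip_address(ip)), reverse=True)


def partition(devices, items, key):
    """Split the globally sorted items into one contiguous slice per device.

    Device i's slice follows its load ratio capability_i / total: the slice
    boundary is the cumulative ratio times the item count, rounded half-up
    with integer arithmetic so every item lands on exactly one device.
    """
    order = number_devices(devices)
    ranked = sorted(items, key=key, reverse=True)
    total = sum(devices.values())
    n = len(ranked)
    slices, start, cumulative = {}, 0, 0
    for ip in order:
        cumulative += devices[ip]
        end = (2 * cumulative * n + total) // (2 * total)
        slices[ip] = ranked[start:end]
        start = end
    return slices


def build_plan(devices, global_sp, global_sa):
    """Per device: actually effective SP/SA plus the update-only remainder."""
    active_sp = partition(devices, global_sp, sp_key)
    active_sa = partition(devices, global_sa, sa_key)
    return {
        ip: {
            "active_sp": active_sp[ip],
            "update_only_sp": [sp for sp in global_sp if sp not in active_sp[ip]],
            "active_sa": active_sa[ip],
            "update_only_sa": [sa for sa in global_sa if sa not in active_sa[ip]],
        }
        for ip in devices
    }


def failover_plan(devices, failed_ip, global_sp, global_sa):
    """A failed member leaves the online set; its share is redistributed to
    the survivors in proportion to their capabilities."""
    survivors = {ip: cap for ip, cap in devices.items() if ip != failed_ip}
    return build_plan(survivors, global_sp, global_sa)


def plan_is_consistent(plan, global_sp, global_sa):
    """Every global SP/SA is active on exactly one online device, and each
    device's update-only set is exactly the complement of its active set."""
    for kind, universe in (("sp", global_sp), ("sa", global_sa)):
        owners = [item for p in plan.values() for item in p[f"active_{kind}"]]
        if sorted(owners, key=str) != sorted(universe, key=str):
            return False
        for p in plan.values():
            active, update_only = set(p[f"active_{kind}"]), set(p[f"update_only_{kind}"])
            if active | update_only != set(universe) or active & update_only:
                return False
    return True


if __name__ == "__main__":
    plan = build_plan(DEVICES, GLOBAL_SP, GLOBAL_SA)
    for ip in number_devices(DEVICES):
        print(ip, "active SP:", len(plan[ip]["active_sp"]), "active SA:", len(plan[ip]["active_sa"]))
    after = failover_plan(DEVICES, "10.0.0.13", GLOBAL_SP, GLOBAL_SA)
    print("after failure of 10.0.0.13:", {ip: len(p["active_sa"]) for ip, p in after.items()})
```

With the sample figures the total capability is 6000, so the devices numbered 10.0.0.13, 10.0.0.12 and 10.0.0.11 receive two, one and three of the six policies (and likewise of the six SAs); removing 10.0.0.13 re-splits the same lists 2/4 between the survivors. The consistency check is the property a practitioner should assert on any such plan: an SA owned by two members would double-process traffic, and an SA owned by none would silently drop it.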
Step 5: in an Ethernet environment, for every inbound and outbound packet, link-layer address resolution is performed for the virtual IP address or gateway IP address of the IPSec VPN cluster, requesting the 48-bit MAC address corresponding to the virtual IP address or gateway IP address. In the invention, the 48-bit MAC address corresponding to the virtual IP address or gateway IP address is set to a configurable multicast MAC address, that is, a MAC address with the prefix 01:00:5e. For every link-layer address resolution request for the virtual IP address or gateway IP address of the IPSec VPN cluster, the address transponder uniformly replies with the configured multicast MAC address. In this way all inbound and outbound IP packets that require IPSec processing and all IKE negotiation packets reach every device of the cluster over the multicast channel.
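As an added illustration of the step-5 address transponder (this is not the patent's code; the cluster addresses and the multicast MAC are constructed samples), the Python below parses ARP requests from an Ethernet frame and answers only those that ask for the cluster's virtual IP or gateway IP, replying with the configured 01:00:5e multicast MAC. The helper that derives a multicast MAC from an IPv4 group address applies the RFC 1112 mapping (01:00:5e plus the low 23 bits of the group); that an operator would choose the configurable MAC this way is this example's assumption, not something the description prescribes.

```python
# Added example (not the patent's own code): the step-5 address transponder
# for IPv4 ARP on Ethernet. All addresses below are constructed samples.
import socket
import struct

ETHERTYPE_ARP = 0x0806
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # RFC 826 layout for Ethernet/IPv4
ARP_REQUEST, ARP_REPLY = 1, 2

VIRTUAL_IP = "203.0.113.100"   # constructed: cluster tunnel source (external side)
GATEWAY_IP = "192.168.1.1"     # constructed: cluster gateway address (intranet side)
# Constructed configurable multicast MAC with the 01:00:5e prefix named in the text.
CLUSTER_MAC = "01:00:5e:01:02:03"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def is_ipv4_multicast_mac(mac):
    """01:00:5e already carries the I/G bit, so a frame sent to it is delivered
    to every member of the group rather than to a single switch port."""
    return mac_to_bytes(mac)[:3] == b"\x01\x00\x5e"


def multicast_mac_for_group(group_ip):
    """RFC 1112 mapping of an IPv4 multicast group to its Ethernet address
    (assumption: one way to pick the configurable MAC from the intra-group
    multicast address; the patent only requires a 01:00:5e-prefixed MAC)."""
    octets = socket.inet_aton(group_ip)
    if not 224 <= octets[0] <= 239:
        raise ValueError(f"{group_ip} is not an IPv4 multicast address")
    return bytes_to_mac(b"\x01\x00\x5e" + bytes([octets[1] & 0x7F]) + octets[2:])


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying one ARP packet (request or reply)."""
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, oper,
                       mac_to_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_to_bytes(target_mac), socket.inet_aton(target_ip))
    eth_dst = "ff:ff:ff:ff:ff:ff" if oper == ARP_REQUEST else target_mac
    return ETH_HDR.pack(mac_to_bytes(eth_dst), mac_to_bytes(sender_mac), ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": bytes_to_mac(sha), "spa": socket.inet_ntoa(spa),
            "tha": bytes_to_mac(tha), "tpa": socket.inet_ntoa(tpa)}


def respond(frame, cluster_mac=CLUSTER_MAC, owned_ips=(VIRTUAL_IP, GATEWAY_IP)):
    """Address transponder: answer ARP requests for the virtual IP or the
    gateway IP with the configured multicast MAC; answer nothing else."""
    req = parse_arp(frame)
    if req is None or req["oper"] != ARP_REQUEST or req["tpa"] not in owned_ips:
        return None
    return build_arp(ARP_REPLY, cluster_mac, req["tpa"], req["sha"], req["spa"])


if __name__ == "__main__":
    request = build_arp(ARP_REQUEST, "02:00:00:00:00:01", "192.168.1.50",
                        "00:00:00:00:00:00", GATEWAY_IP)
    print(parse_arp(respond(request)))
    other = build_arp(ARP_REQUEST, "02:00:00:00:00:01", "192.168.1.50",
                      "00:00:00:00:00:00", "192.168.1.99")
    print(respond(other))
```

The check in `respond` that the target address is one of the two the cluster owns is the one that matters: a responder that answered for any address would make the cluster claim hosts it does not serve, and a responder that answered ARP replies as well as requests would react to traffic it should only observe.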
Step 6: the data classifier provides different processing paths for inbound and outbound IP packets according to whether the received packet falls within the scope of the local device's effective security policies or Security Associations. For a packet within the scope of the local device's effective security policies or Security Associations, normal IPSec processing is performed (triggering IKE negotiation, encryption and decryption, integrity check and verification, tunnel encapsulation and decapsulation, update of the sequence number and anti-replay window, lifetime update, and so on); for a packet outside the scope of the local device's effective security policies or Security Associations but within the scope of its update-only security policies and Security Associations, only the sequence number update (outbound) or the sequence number check and anti-replay window update (inbound) and the lifetime update of the security policy and Security Association are performed, and the packet is then dropped. If a device in the cluster fails and cannot work, its load is taken over by the other devices through the intra-group synchronization module and the load management module. This appears only as a change in each device's actually effective and update-only security policies and Security Associations; because every device receives all packets, real-time state such as sequence numbers, anti-replay windows and lifetimes is always kept up to date with the traffic, so only the processing path of the packets has to be adjusted, the operation of the whole system is not affected in any way, and zero-interval seamless switch-over of the load is achieved.
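The following Python is an added illustration of the step-6 classifier and of why the switch-over in the text needs no state transfer; it is not the patent's code. The two-member cluster, the SAs and the packets are constructed, the anti-replay window is a 64-packet sliding bitmap in the style of RFC 4303 (the patent does not fix a window size or layout), and a packet is represented only by its direction, SA triple and sequence number, since the classification does not depend on the payload.

```python
# Added example (not the patent's own code): the step-6 data classifier and
# the zero-interval switch-over it enables. Cluster, SAs and packets are
# constructed; the window follows the RFC 4303 sliding-bitmap scheme.

class ReplayWindow:
    """Sliding anti-replay window: bit 0 of `bitmap` is the highest sequence
    number seen (`top`), bit k the sequence number top - k."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def verify_and_update(self, seq):
        """Accept each sequence number once; reject replays and numbers that
        fell behind the window (IPSec numbering starts at 1, so 0 is invalid)."""
        if seq == 0:
            return False
        if seq > self.top:
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False
        self.bitmap |= 1 << diff
        return True


class SAState:
    """Counters every member keeps for an SA whether or not the SA is active
    on it: outbound sequence number, inbound window, consumed lifetime."""

    def __init__(self):
        self.seq_out = 0
        self.window = ReplayWindow()
        self.packets = 0


class Member:
    def __init__(self, name, active, update_only):
        self.name = name
        self.active = set(active)
        self.update_only = set(update_only)
        self.states = {sa: SAState() for sa in self.active | self.update_only}

    def classify(self, packet):
        """Processing path for one packet: PROCESS (normal IPSec processing),
        UPDATE_DROP (counters updated, packet dropped), REPLAY_DROP, or
        IGNORE (the SA is unknown to this member)."""
        sa = packet["sa"]
        if sa not in self.states:
            return "IGNORE"
        state = self.states[sa]
        if packet["direction"] == "out":
            state.seq_out += 1                        # sequence number update
        elif not state.window.verify_and_update(packet["seq"]):
            return "REPLAY_DROP"                      # sequence number check failed
        state.packets += 1                            # lifetime update
        return "PROCESS" if sa in self.active else "UPDATE_DROP"


def take_over(survivor, failed):
    """Load management after a failure: the failed member's active SAs become
    active on the survivor. No counter is copied, because the survivor has
    been updating them on every packet all along."""
    survivor.active |= failed.active
    survivor.update_only -= failed.active


def run_scenario():
    """Two members, two SAs; then member A fails and B takes over SA1."""
    sa1 = ("203.0.113.10", 0x1001, 50)   # constructed (dst IP, SPI, protocol)
    sa2 = ("203.0.113.10", 0x1002, 50)
    a = Member("A", active=[sa1], update_only=[sa2])
    b = Member("B", active=[sa2], update_only=[sa1])
    cluster = [a, b]
    log = {}

    def feed(label, packet):
        # every online member receives every packet over the multicast channel
        log[label] = tuple(m.classify(packet) for m in cluster)

    for seq in (1, 2, 3):
        feed(f"in{seq}", {"direction": "in", "sa": sa1, "seq": seq})
    feed("out", {"direction": "out", "sa": sa2, "seq": 0})
    feed("unknown", {"direction": "in", "sa": ("198.51.100.1", 0x9999, 50), "seq": 1})

    cluster.remove(a)                      # A fails and leaves the online set
    take_over(b, a)
    feed("in4_after_failover", {"direction": "in", "sa": sa1, "seq": 4})
    feed("replay2_after_failover", {"direction": "in", "sa": sa1, "seq": 2})
    log["seq_out_in_sync"] = a.states[sa2].seq_out == b.states[sa2].seq_out == 1
    return log


if __name__ == "__main__":
    for label, result in run_scenario().items():
        print(label, result)
```

The point the scenario makes is the one the description relies on: after A fails, B accepts the next packet on SA1 and still rejects a replay of sequence number 2, although nothing was copied from A, because B's update-only path had already advanced the window for every packet it saw. A cluster that did not run the update-only path on every member would either accept replays after a switch-over or have to reset the window and lose in-flight packets.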
The beneficial effects of the invention are:
The invention achieves unique and effective load balancing and redundant backup of the working IP address of an IPSec VPN cluster made up of different IPSec VPN devices: outbound IP packets processed by different IPSec VPN devices have the same source IP address, and inbound IP packets are distributed automatically across the load; sequence numbers and anti-replay windows are synchronized instantly between several different devices, achieving zero-interval seamless switch-over of the load.

Claims (8)

1. A load-balanced IPSec VPN device cluster system, characterized in that it comprises several IPSec VPN devices, each of which runs a computing capability assessment module, an intra-group synchronization module, a load management module, an address transponder and a data classifier;
the computing capability assessment module performs signature computations when an IPSec VPN device in the cluster starts, and obtains the computing capability assessment result of the IPSec VPN device on which it runs;
the intra-group synchronization module is responsible for exchanging and synchronizing security policies, Security Associations, online status and computing capability information among all member devices of the cluster, and for forming the globally consistent security policies, Security Associations and online status;
the load management module obtains the globally consistent security policies, Security Associations and online status from the intra-group synchronization information, distributes the data load according to the differing computing capabilities of the IPSec VPN devices in the group, and sets the actually effective security policies and Security Associations according to the load allocated to the IPSec VPN device on which it runs;
the address transponder gives consistent responses to link-layer address requests for outbound IP packets from the intranet and inbound IP packets from the external network, according to the virtual address information configured uniformly on all IPSec VPN devices in the system;
the data classifier provides different processing paths for inbound and outbound IP packets, according to whether a packet falls within the effective security policies or Security Associations of the IPSec VPN device on which it runs.
2. The load-balanced IPSec VPN device cluster system of claim 1, characterized in that every IPSec VPN device in the cluster is configured with a configurable IP multicast address as the intra-group address; the intra-group synchronization module periodically multicasts the security policies, Security Associations, online status and computing capability assessment result of the local device to the other member devices of the cluster, and at the same time accepts the security policies, Security Associations, online status and computing capability assessment results multicast by the other member devices, forming the globally consistent security policies and Security Associations of the cluster.
3. The load-balanced IPSec VPN device cluster system of claim 1 or 2, characterized in that every IPSec VPN device in the cluster has a shared virtual IP address that serves as the shared IPSec VPN tunnel source IP address of the cluster: all outbound IP packets processed by the cluster use the shared virtual IP address of the member devices as the source IP address after tunnel encapsulation, and all inbound IPSec packets whose destination IP address is this virtual IP address are received by every online member device in the cluster.
4. The load-balanced IPSec VPN device cluster system of claim 1, characterized in that the computing capability assessment module runs 10,000 RSA signature operations with a 2048-bit modulus in multithreaded mode and computes the signature rate in signatures per second, which serves as the computing capability assessment result of the IPSec VPN device on which it runs.
5. A working method of the load-balanced IPSec VPN device cluster system of any one of claims 1 to 4, characterized in that it comprises the following steps:
Step 1: configure for the IPSec VPN device cluster a virtual IP address shared by every member device, which serves as the shared IPSec VPN tunnel source IP address of the cluster;
Step 2: when an IPSec VPN device in the cluster starts, run the computing capability assessment module to obtain the computing capability assessment result of each IPSec VPN device;
Step 3: configure on every IPSec VPN device in the cluster a configurable IP multicast address as the intra-group address;
Step 4: the load management module distributes the data load according to the differing computing capabilities of the IPSec VPN devices in the group and sets the actually effective security policies and Security Associations according to the load allocated to the local device;
Step 5: in an Ethernet environment, for every inbound and outbound packet, perform link-layer address resolution of the virtual IP address or gateway IP address of the IPSec VPN cluster, requesting the 48-bit MAC address corresponding to the virtual IP address or gateway IP address;
Step 6: the data classifier provides different processing paths for inbound and outbound IP packets according to whether the received packet falls within the scope of the local device's effective security policies or Security Associations.
6. The working method of the load-balanced IPSec VPN device cluster system of claim 5, characterized in that step 4 is specifically:
First, all devices in the cluster are sorted and numbered uniformly in descending order of each member device's real IP address; the global security policies are sorted in descending order by the five-tuple of source IP address, destination IP address, source transport-layer port, destination transport-layer port and transport-layer protocol number, compared in that order; the global Security Associations are sorted in descending order by the triple of destination IP address, Security Parameter Index and security protocol, compared in that order;
Then, the computing capabilities of all member devices are summed to give the total computing capability, and the ratio of each member device's computing capability to the total computing capability is the load ratio allocated to that device; according to device number and load ratio, each device takes its actually effective security policies and Security Associations in turn from the global security policies and global Security Associations; for every device, its actually effective security policies and Security Associations are removed from the global policies and global associations, and the remainder are the security policies and Security Associations that this device only updates;
The load management module periodically updates the device's actually effective security policies and Security Associations and its update-only security policies and Security Associations according to the periodically received intra-group synchronization information; if a device fails, the load allocated to that device and its actually effective security policies and Security Associations are redistributed to the other devices according to their computing capabilities.
7. the method for work of the IPSec VPN device clusters system of load balancing as claimed in claim 5, it is characterized in that, in step 5, the MAC Address that virtual ip address or gateway ip address are corresponding is set to configurable multicast MAC Address, all link layer address analysis request that address transponder carries out for the virtual ip address to IPSec VPN cluster or gateway ip address, the unified multicast MAC Address of responding as arranging, all IP datagram literary compositions out of the station that need to carry out IPSec processing out of the station like this and ike negotiation message can arrive by multicast channel every equipment of cluster.
8. the method for work of the IPSec VPN device clusters system of load balancing as claimed in claim 5, is characterized in that, in step 6, described data distribution device provides different processing paths to be specially to the IP datagram literary composition of departures:
For the data message being within the executed security strategy of the machine or Security Association scope, carry out normal IPSec processing;
Data message for being in outside the executed security strategy of the machine or Security Association scope but within security strategy and the Security Association scope only upgraded, only carry out the renewal of the renewal of the renewal of sequence number or the checking of sequence number and anti-playback window and security strategy and Security Association life cycle, and by this packet loss;
When equipment fault in cluster can not be worked, the load of this equipment will be shared other equipment by group inter-sync module and load management module, realize zero interval seamless switching of load.
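The partitioning procedure of the preceding claim (device numbering, descending sorts, capability-proportional split into "actually effective" and "update-only" sets, redistribution on failure) and the three processing paths of claim 8, as one added illustration that is not the patent's own code. Device capacities, policy 5-tuples and SA triples are constructed sample data; the contiguous-slice split, the rounding rule, and the 64-bit sliding anti-replay window are assumptions the claims do not spell out.

```python
"""Load partitioning, shadow (update-only) processing and failover for an
IPSec VPN cluster.  Added illustration of the claim text above, not the
patent's own code.  Device capacities, policy 5-tuples and SA triples are
constructed sample data; the contiguous-slice split, the rounding rule and
the 64-bit replay window are assumptions the claims do not spell out."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Device:
    real_ip: str
    capability: int  # abstract capacity units (assumed)


def number_devices(devices):
    """Number members by real IP address, largest first."""
    return sorted(devices, key=lambda d: int(ip_address(d.real_ip)), reverse=True)


def sort_policies(policies):
    """Global SPD: (src IP, dst IP, src port, dst port, proto), descending."""
    return sorted(policies, key=lambda p: (int(ip_address(p[0])),
                  int(ip_address(p[1])), p[2], p[3], p[4]), reverse=True)


def sort_sas(sas):
    """Global SAD: (dst IP, SPI, protocol), descending."""
    return sorted(sas, key=lambda s: (int(ip_address(s[0])), s[1], s[2]), reverse=True)


def partition(items, devices):
    """Each numbered device takes a contiguous slice sized by its share of the
    total capability; the last device absorbs rounding.  Everything a device
    does not own it still tracks as update-only.  Returns {dev: (active, update_only)}."""
    if not devices:
        raise RuntimeError("no cluster member left to carry the load")
    total = sum(d.capability for d in devices)
    n, start, out = len(items), 0, {}
    for i, d in enumerate(devices):
        end = n if i == len(devices) - 1 else min(n, start + round(n * d.capability / total))
        active = items[start:end]
        out[d] = (active, [x for x in items if x not in active])
        start = end
    return out


def failover(assignment, failed):
    """Hand the failed device's active items to the survivors in proportion to
    their capability; survivors keep what they already own."""
    survivors = [d for d in assignment if d != failed]
    extra = partition(assignment[failed][0], survivors)
    out = {}
    for d in survivors:
        active = assignment[d][0] + extra[d][0]
        universe = assignment[d][0] + assignment[d][1]
        out[d] = (active, [x for x in universe if x not in active])
    return out


class SAState:
    """Counters every member keeps for every SA, owned or update-only, so a
    takeover needs no resynchronisation of sequence numbers or windows."""
    WINDOW = 64

    def __init__(self):
        self.seq = 0      # last outbound sequence number issued
        self.top = 0      # highest inbound sequence number accepted
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def next_outbound(self):
        self.seq += 1
        return self.seq

    def check_inbound(self, seq):
        """Sliding anti-replay window (RFC 4303 style): accept and record fresh seqs."""
        if seq == 0:
            return False
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.WINDOW) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.WINDOW or (self.bitmap >> diff) & 1:
            return False
        self.bitmap |= 1 << diff
        return True


def classify_outbound(device, assignment, sa_state, sa):
    """Claim 8 paths: owned SA -> full IPsec processing; update-only SA ->
    shadow the counter (lifetime bookkeeping omitted here) and drop; no
    matching SA -> the datagram is not cluster traffic."""
    active, update_only = assignment[device]
    if sa in active:
        return "ipsec", sa_state[sa].next_outbound()
    if sa in update_only:
        return "drop", sa_state[sa].next_outbound()
    return "bypass", None
```

The point of the update-only path is visible in the counters: because every member sees every outbound datagram over the multicast channel and advances the same sequence counter for SAs it does not own, the survivor that inherits an SA after `failover` continues from the exact sequence number and replay window the failed owner had, which is what makes the switch-over seamless rather than a window reset that a peer would reject.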

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410460656.1A CN104184675B (en) 2014-09-12 2014-09-12 The IPSec VPN devices group system and its method of work of a kind of load balancing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410460656.1A CN104184675B (en) 2014-09-12 2014-09-12 The IPSec VPN devices group system and its method of work of a kind of load balancing

Publications (2)

Publication Number Publication Date
CN104184675A true CN104184675A (en) 2014-12-03
CN104184675B CN104184675B (en) 2017-05-31

Family

ID=51965433

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410460656.1A Active CN104184675B (en) 2014-09-12 2014-09-12 The IPSec VPN devices group system and its method of work of a kind of load balancing

Country Status (1)

Country Link
CN (1) CN104184675B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8364948B2 (en) * 2004-07-02 2013-01-29 Hewlett-Packard Development Company, L.P. System and method for supporting secured communication by an aliased cluster
US8104081B2 (en) * 2005-11-15 2012-01-24 Avaya Inc. IP security with seamless roaming and load balancing
CN103107973A (en) * 2011-11-09 2013-05-15 ZTE Corporation (中兴通讯股份有限公司) High availability method and high availability device for achieving security protocol
CN103200094A (en) * 2013-03-14 2013-07-10 成都卫士通信息产业股份有限公司 Method for achieving gateway dynamic load distribution

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Zhou Zhenbin, Tang Jianqi (周振斌, 唐剑琪): "A high-throughput IPsec VPN system based on load balancing" (基于负载均衡的高吞吐量IPsec VPN系统), Computer Engineering and Applications (计算机工程与应用) *
Yin Jianping (尹建平): "Research on distributed cluster VPN applications based on IPSec" (基于IPSec的分布式集群VPN应用研究), China Master's Theses Full-text Database, Information Science and Technology series (中国优秀博硕士学位论文全文数据库(硕士) 信息科技辑) *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104954222A (en) * 2015-05-22 2015-09-30 Southeast University (东南大学) Tunnel-mode ESP (Encapsulating Security Payload) hardware encapsulating device based on the IPsec protocols
WO2017070973A1 (en) * 2015-10-31 2017-05-04 Huawei Technologies Co., Ltd. (华为技术有限公司) Internet protocol security tunnel establishing method, user equipment and base station
CN107005410A (en) * 2015-10-31 2017-08-01 Huawei Technologies Co., Ltd. (华为技术有限公司) Internet protocol security tunnel establishing method, user equipment and base station
CN107005410B (en) * 2015-10-31 2020-06-26 Dashizhi (Beijing) Software Engineering Co., Ltd. (大势至(北京)软件工程有限公司) Internet protocol security tunnel establishment method, user equipment and base station
CN108322330A (en) * 2017-12-26 2018-07-24 Chengdu Westone Information Industry Inc. (成都卫士通信息产业股份有限公司) IPSEC VPN sequence number and anti-replay window synchronization method and apparatus
CN108322330B (en) * 2017-12-26 2021-03-02 Chengdu Westone Information Industry Inc. (成都卫士通信息产业股份有限公司) IPSEC VPN serial number and anti-replay window synchronization method and device
CN112714069A (en) * 2021-01-06 2021-04-27 Shanghai Jiao Tong University (上海交通大学) Method for offloading the traffic-distribution module to network card hardware in an IPSec security gateway environment
CN113312151A (en) * 2021-06-23 2021-08-27 Harbin Engineering University (哈尔滨工程大学) Load balancing method of IPSec VPN cluster
CN116155477A (en) * 2023-04-18 2023-05-23 Hubei Chutian Cloud Co., Ltd. (湖北省楚天云有限公司) IPsec anti-replay method and system based on dynamic sliding window
CN116155477B (en) * 2023-04-18 2023-07-18 Hubei Chutian Cloud Co., Ltd. (湖北省楚天云有限公司) IPsec anti-replay method and system based on dynamic sliding window
CN117240455A (en) * 2023-10-16 2023-12-15 Beijing Huanyu Boya Technology Co., Ltd. (北京环宇博亚科技有限公司) Encryption system based on an IPsec link encryption method

Also Published As

Publication number Publication date
CN104184675B (en) 2017-05-31

Similar Documents

Publication Publication Date Title
CN104184675A (en) Load-balanced IPSec VPN device trunking system and working method of load-balanced IPSec VPN device trunking system
CN104270298B (en) Message forwarding method and device in a kind of VXLAN networks
CN107852365B (en) Method and apparatus for dynamic VPN policy model
CN107294711B (en) Power information intranet message encryption issuing method based on VXLAN technology
CN104335531B (en) PVLAN is realized in large-scale distributed virtual switch
CN103475655B (en) A kind of method realizing IPSecVPN main/slave link switching at runtime
CN104202409B (en) The SSL VPN devices group system and its method of work of a kind of load balancing
CN102025646B (en) Link switching method and device thereof
US9515845B2 (en) Utility communication method and system
CN103067290B (en) The VPN tunnel implementation of load balancing network is adapted to based on virtual network interface card
CN104780069B (en) A kind of key-course towards SDN and data Layer communication port self-configuration method and its system
CN106936777A (en) Cloud computing distributed network implementation method based on OpenFlow, system
CN104283701A (en) Method, system and device for issuing configuration information
CN103763310A (en) Firewall service system and method based on virtual network
CN103166849B (en) The method of the interconnected network routing convergence of IPSec VPN and routing device
CN101917294B (en) Method and equipment for updating anti-replay parameter during master and slave switching
CN104023022B (en) A kind of IPSec SA acquisition methods and device
CN101072157A (en) Virtual special net load backup system and its establishing method and data forwarding method
CN107735989A (en) The method and system that website interconnects on transmission network
CN106034052A (en) System and method for monitoring two-layer traffic among virtual machines
CN110383280A (en) Method and apparatus for the end-to-end stream of packets network with network safety for Time Perception
CN107040441A (en) Data transmission method, apparatus and system across data center
CN103825815A (en) Method, device and system for carrying out redundant backup among network virtual edge devices
CN106027491A (en) Independent link type communication processing method and system based on isolated IP (Internet Protocol) address
Shin et al. Performance improvement for the HSR ring protocol with traffic control in smart grid

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee after: China Electronics Technology Network Security Technology Co.,Ltd.

Address before: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc.